Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 276 records (Critical: 15, High: 50, Medium: 205). Showing 181-200 of 276 records.
Threat Entry Updated 2024-11-21

CVE-2022-2089 - Bold Page Builder Plugin

The Bold Page Builder WordPress plugin before 4.3.3 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed.

PLUGIN

MEDIUM CVSS 4.8 2022-07-11
Threat Entry Updated 2024-11-21

CVE-2022-1220 - FoxyShop Plugin

The FoxyShop WordPress plugin before 4.8.2 does not sanitise and escape a parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting.

PLUGIN

MEDIUM CVSS 6.1 2022-07-11
Threat Entry Updated 2024-11-21

CVE-2022-1894 - Popup Builder Plugin

The Popup Builder WordPress plugin before 4.1.11 does not escape and sanitise some settings, which could allow high privilege users to perform Stored Cross-Site Scripting attacks when the unfiltered_html capability is disallowed.

PLUGIN

MEDIUM CVSS 4.8 2022-07-11
Threat Entry Updated 2024-11-21

CVE-2022-1995 - Malware Scanner Plugin

The Malware Scanner WordPress plugin before 4.5.2 does not sanitise and escape some of its settings, allowing malicious users with administrator privileges to store malicious JavaScript code, leading to Cross-Site Scripting attacks when unfiltered_html is disallowed (for example in a multisite setup).

PLUGIN

MEDIUM CVSS 4.8 2022-06-27
Threat Entry Updated 2024-11-21

CVE-2022-1029 - Limit Login Attempts Plugin

The Limit Login Attempts WordPress plugin before 4.0.72 does not sanitise and escape some of its settings, allowing malicious users with administrator privileges to store malicious JavaScript code, leading to Cross-Site Scripting attacks when unfiltered_html is disallowed (for example in a multisite setup).

PLUGIN

MEDIUM CVSS 4.8 2022-06-27
Threat Entry Updated 2024-11-21

CVE-2022-0444 - XCloner Plugin

The Backup, Restore and Migrate WordPress Sites With the XCloner Plugin WordPress plugin before 4.3.6 does not have authorisation and CSRF checks when resetting its settings, allowing unauthenticated attackers to reset them, including generating a new backup encryption key.

PLUGIN

MEDIUM CVSS 4.3 2022-06-27
Threat Entry Updated 2024-11-21

CVE-2022-1717 - Custom Share Buttons with Floating Sidebar Plugin

The Custom Share Buttons with Floating Sidebar WordPress plugin before 4.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks when the unfiltered_html capability is disallowed.

PLUGIN

MEDIUM CVSS 4.8 2022-06-20
Threat Entry Updated 2024-11-21

CVE-2021-25088 - XML Sitemaps Plugin

The XML Sitemaps WordPress plugin before 4.1.3 does not sanitise and escape a setting before outputting it in the Debug page, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).

PLUGIN

MEDIUM CVSS 4.8 2022-06-20
Threat Entry Updated 2024-11-21

CVE-2022-1724 - Simple Membership Plugin

The Simple Membership WordPress plugin before 4.1.1 does not properly sanitise and escape parameters before outputting them back in AJAX actions, leading to Reflected Cross-Site Scripting.

PLUGIN

MEDIUM CVSS 6.1 2022-06-13
Threat Entry Updated 2024-11-21

CVE-2022-1456 - Poll Maker Plugin

The Poll Maker WordPress plugin before 4.0.2 does not sanitise and escape some settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when unfiltered_html is disallowed.

PLUGIN

MEDIUM CVSS 4.8 2022-05-30
Threat Entry Updated 2024-11-21

CVE-2022-1093 - WP Meta SEO Plugin

The WP Meta SEO WordPress plugin before 4.4.7 does not sanitise or escape the breadcrumb separator before outputting it to the page, allowing a high privilege user such as an administrator to inject arbitrary JavaScript into the page even when unfiltered_html is disallowed.

PLUGIN

MEDIUM CVSS 4.8 2022-05-23
Threat Entry Updated 2024-11-21

CVE-2022-0836 - SEMA API Plugin

The SEMA API WordPress plugin before 4.02 does not properly sanitise and escape some parameters before using them in SQL statements via an AJAX action, leading to SQL Injections exploitable by unauthenticated users.

PLUGIN

CRITICAL CVSS 9.8 2022-05-09
Threat Entry Updated 2024-11-21

CVE-2021-25102 - All In One WP Security & Firewall Plugin

The All In One WP Security & Firewall WordPress plugin before 4.4.11 does not validate, sanitise and escape the redirect_to parameter before using it to redirect users, either via a Location header or a meta url attribute, when the Rename Login Page feature is active, which could lead to an Arbitrary Redirect as well as a Cross-Site Scripting issue. Exploitation of this issue requires the Login Page URL value to be known, which should be hard to guess, reducing the risk.

PLUGIN

MEDIUM CVSS 4.7 2022-05-02
Threat Entry Updated 2024-11-21

CVE-2022-0953 - Anti-Malware Security and Brute-Force Firewall Plugin

The Anti-Malware Security and Brute-Force Firewall WordPress plugin before 4.20.96 does not sanitise and escape the QUERY_STRING before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting in browsers which do not encode characters.

PLUGIN

MEDIUM CVSS 6.1 2022-04-25
Threat Entry Updated 2025-05-05

CVE-2022-1094 - amr users Plugin

The amr users WordPress plugin before 4.59.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

PLUGIN

MEDIUM CVSS 4.8 2022-04-25
Threat Entry Updated 2024-11-21

CVE-2021-4225 - SP Project & Document Manager Plugin

The SP Project & Document Manager WordPress plugin before 4.24 allows any authenticated users, such as subscribers, to upload files. The plugin attempts to prevent PHP and other similar files that could be executed on the server from being uploaded by checking the file extension. It was discovered that on Windows servers, the security checks in place were insufficient, enabling bad actors to potentially upload backdoors on vulnerable sites.

PLUGIN

HIGH CVSS 8.8 2022-04-25
Threat Entry Updated 2024-11-21

CVE-2022-0737 - Text Hover Plugin

The Text Hover WordPress plugin before 4.2 does not sanitize and escape the text to hover, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

PLUGIN

MEDIUM CVSS 4.8 2022-04-18
Threat Entry Updated 2024-11-21

CVE-2022-0914 - Export All URLs Plugin

The Export All URLs WordPress plugin before 4.3 does not have CSRF protection in place when exporting data, which could allow attackers to make a logged in admin export all posts and pages (including private and draft) into an arbitrary CSV file, which the attacker can then download to retrieve the list of titles, for example.

PLUGIN

MEDIUM CVSS 6.5 2022-04-11
Threat Entry Updated 2024-11-21

CVE-2022-0892 - Export All URLs Plugin

The Export All URLs WordPress plugin before 4.2 does not sanitise and escape the CSV filename before outputting it back in the page, leading to a Reflected Cross-Site Scripting.

PLUGIN

MEDIUM CVSS 6.1 2022-04-11
Threat Entry Updated 2024-11-21

CVE-2022-0271 - LearnPress Plugin

The LearnPress WordPress plugin before 4.1.6 does not sanitise and escape the lp-dismiss-notice parameter before outputting it back via the lp_background_single_email AJAX action, leading to a Reflected Cross-Site Scripting.

PLUGIN

MEDIUM CVSS 6.1 2022-04-11